Cursor Bugbot has reviewed your changes and found 3 potential issues.
| const profile = this.mergeProfile(cache, onChainProfile, account); | ||
|
|
||
| const publicName = | ||
| cache?.public_name || this.resolvePublicName(profile, address); |
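Review bot: the fallback in the publicName assignment uses ||, so an empty-string public_name in the cache is treated the same as a missing one and falls through to resolvePublicName(profile, address). If an empty value is meant to suppress the derived name, use ?? instead; if not, a short comment stating that empty means unset would make the intent explicit.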
On-chain reads still return cached public name
Medium Severity
getProfile and batch getProfileFromAggregates prioritize cache.public_name even when includeOnChain is true. This can return stale public_name that disagrees with fresh on-chain profile fields, so /api/profile and /api/profile?includeOnChain=true may expose inconsistent identity data.
| "start:dev": "nest start --watch", | ||
| "start:debug": "nest start --debug --watch", | ||
| "start:prod": "node dist/main", | ||
| "start:prod": "node dist/src/main", |
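Review bot: "start:prod" now points at dist/src/main instead of dist/main, which means the compiled entry point has moved one directory deeper in the build output. Any deployment script or container command that still launches dist/main by path needs the same change, and the reason for the new layout is worth a line in the PR description so the path is not reverted later.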
| const profile = await this.profileContractService.getProfile(address); | ||
| if (!profile) { | ||
| return; | ||
| } |
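Review bot: the "if (!profile) return;" branch exits without a log line or counter, so a null caused by a failed contract read looks identical to an address that has no profile. Log the address on this branch, or have getProfile throw on read errors, so the caller can tell the two cases apart.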
Indexer can silently drop profile updates
Medium Severity
refreshAddress returns early when getProfile yields null, but syncProfileChanges still advances last_indexed_micro_time. If contract reads fail transiently and getProfile returns null, those addresses are skipped and their changes are never retried, leaving profile_cache stale.
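One way to close the gap described in this comment, as an added example that is not code from the PR: reads report "absent" and "error" separately, and the cursor stops before the earliest failed read. All type and function names are hypothetical, and it assumes the next run selects changes with micro_time strictly greater than the cursor.

```typescript
// Added example; all names here are hypothetical, not the PR's code.
type Profile = { username: string };
type ReadResult =
  | { status: "found"; profile: Profile }
  | { status: "absent" } // contract answered: no profile for this address
  | { status: "error"; reason: string }; // read failed, state unknown

interface Outcome { address: string; microTime: number; result: ReadResult }

// Apply settled contract reads to the cache and compute the next cursor.
// The cursor never moves to or past the earliest failed read, so a later
// run that queries "micro_time > cursor" (assumption) sees that address again.
function applyBatch(
  lastIndexed: number,
  outcomes: Outcome[],
  cache: Map<string, Profile>,
): { cursor: number; retry: string[] } {
  let firstFailure = Infinity;
  const retry: string[] = [];
  const applied: number[] = [];
  for (const o of outcomes) {
    const r = o.result;
    if (r.status === "error") {
      firstFailure = Math.min(firstFailure, o.microTime);
      retry.push(o.address);
      continue;
    }
    if (r.status === "found") cache.set(o.address, r.profile);
    applied.push(o.microTime);
  }
  // Strict "<" also holds the cursor back when a success and a failure
  // share the same timestamp.
  const cursor = applied
    .filter((t) => t < firstFailure)
    .reduce((max, t) => Math.max(max, t), lastIndexed);
  return { cursor, retry };
}

// Constructed sample batch: one transient failure at micro_time 120.
const sampleOutcomes: Outcome[] = [
  { address: "addr_a", microTime: 110, result: { status: "found", profile: { username: "alice" } } },
  { address: "addr_b", microTime: 120, result: { status: "error", reason: "timeout" } },
  { address: "addr_c", microTime: 120, result: { status: "found", profile: { username: "carol" } } },
  { address: "addr_d", microTime: 130, result: { status: "absent" } },
];
```

Addresses after the failure are still refreshed in the same run and are simply read again on the retry, so the cache write has to be idempotent.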


Note
High Risk
Adds new auth-adjacent X OAuth code exchange and backend signing of attestations using a private key, plus a new scheduled indexer that writes to database cache; misconfiguration or logic errors could impact security posture or load/consistency.
Overview
Adds a new Profile Identity backend slice that integrates with an on-chain ProfileRegistry_v1 contract: a scheduled indexer tracks relevant contract calls via middleware and maintains a profile_cache, while new /api/profile endpoints serve single, batch, feed, and direct on-chain (dry-run) reads.
Introduces POST /api/profile/x/attestation to mint contract-verifiable signatures for an X username using either an access token or OAuth2 PKCE code exchange; expands OAuthService with X code exchange + improved X token verification and returns provider username for GitHub/Google/X.
Wires the new module into AppModule and enriches GET /accounts/:address responses with merged profile, public_name, and names; updates env/examples and tooling (new profile env vars, gitignore entries, prod start path) and adds docs/tests plus a reference userProfile.ts demo client.
Written by Cursor Bugbot for commit 2db868e.